Detection rules › Kusto Query Language

Gain Code Execution on ADFS Server via Remote WMI Execution

'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]" For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/. The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details. - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml'

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1210` Exploitation of Remote Services

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	19	WmiEvent (WmiEventFilter activity detected)
Sysmon	20	WmiEvent (WmiEventConsumer activity detected)
Sysmon	21	WmiEvent (WmiEventConsumerToFilter activity detected)
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4688	A new process has been created.

<union>

union of 3 branches